Commit 776c4da

Pin MessagePack package version to fix restore audit warning (#7484)
1 parent 3d2787f commit 776c4da

5 files changed

Lines changed: 9 additions & 0 deletions

Directory.Packages.props

Lines changed: 1 addition & 0 deletions
@@ -110,6 +110,7 @@
110110
Once the packages depending on these packages are upgraded, these PackageVersions can be removed.
111111
-->
112112
<ItemGroup>
113+
<PackageVersion Include="MessagePack" Version="2.5.302" />
113114
<PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="5.7.0" />
114115
<PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
115116
</ItemGroup>
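
Review bot: the new `MessagePack` pin at line 113 carries no pointer to the advisory it answers, and the group comment above it ("Once the packages depending on these packages are upgraded, these PackageVersions can be removed") gives no way to tell when that holds for this entry. Add a short comment on the line naming the advisory that restore audit reported and the first unaffected MessagePack version, so a later reader can check whether 2.5.302 is still the right floor or whether the entry can go.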

src/NuGet.Clients/NuGet.VisualStudio.Contracts/NuGet.VisualStudio.Contracts.csproj

Lines changed: 2 additions & 0 deletions
@@ -22,6 +22,8 @@
2222
These packages are dependencies of directly referenced PackageReferences.
2323
When the above PackageReferences are upgraded to newer versions, try deleting the below PackageReferences
2424
-->
25+
<!-- Microsoft.ServiceHub.Framework has a dependency on a vulnerable version of MessagePack. Once it no longer has a transitive dependency on a vulnerable version, this can be removed -->
26+
<PackageReference Include="MessagePack" />
2527
<!-- We do this to avoid the warning our build raises about keeping a consistent newtonsoft.json version. We don't need newtonsonft.json type in here, we don't use it. -->
2628
<PackageReference Include="Newtonsoft.Json" PrivateAssets="all" ExcludeAssets="all" />
2729
</ItemGroup>
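
Review bot: the added `<PackageReference Include="MessagePack" />` at line 26 has no `PrivateAssets`, unlike the `Newtonsoft.Json` reference directly below it, so if this project is packed, MessagePack becomes a declared dependency of the package. That is probably intended, since consumers then resolve the pinned version as well, but the comment should say so; otherwise someone may later copy `PrivateAssets="all"` from the Newtonsoft line and the pin stops flowing to consumers.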

src/NuGet.Clients/NuGet.VisualStudio.Internal.Contracts/NuGet.VisualStudio.Internal.Contracts.csproj

Lines changed: 2 additions & 0 deletions
@@ -9,6 +9,8 @@
99

1010
<ItemGroup>
1111
<PackageReference Include="Microsoft.VisualStudio.Sdk" />
12+
<!-- Microsoft.VisualStudio.Sdk has a dependency on a vulnerable version of MessagePack. Once it no longer has a transitive dependency on a vulnerable version, this can be removed -->
13+
<PackageReference Include="MessagePack" />
1214
</ItemGroup>
1315

1416
<ItemGroup>
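
Review bot: lines 12-13 repeat the comment and versionless `MessagePack` reference that this commit also adds to three other project files, which leaves four places to clean up when the upstream packages move. Since versions are already managed centrally in Directory.Packages.props, consider whether central transitive pinning (`CentralPackageTransitivePinningEnabled`) could apply the `PackageVersion` to the transitive dependency without a per-project reference, and note in the commit message why it was not used if it does not fit here.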

src/NuGet.Clients/NuGet.VisualStudio.Interop/NuGet.VisualStudio.Interop.csproj

Lines changed: 2 additions & 0 deletions
@@ -16,6 +16,8 @@
1616
<ItemGroup>
1717
<PackageReference Include="Microsoft.VisualStudio.Shell.15.0" />
1818
<PackageReference Include="Microsoft.VisualStudio.Shell.Styles" />
19+
<!-- Microsoft.VisualStudio.Shell.15.0 has a dependency on a vulnerable version of MessagePack. Once it no longer has a transitive dependency on a vulnerable version, this can be removed -->
20+
<PackageReference Include="MessagePack" />
1921
<PackageReference Include="Newtonsoft.Json" ExcludeAssets="all" />
2022
</ItemGroup>
2123
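
Review bot: the comment at line 19 names `Microsoft.VisualStudio.Shell.15.0` as the source of the vulnerable dependency, but the new lines sit after `Microsoft.VisualStudio.Shell.Styles`, one reference away from the package they compensate for. Move the comment and the `MessagePack` reference directly under the `Microsoft.VisualStudio.Shell.15.0` line, as the other project files in this commit do with `Microsoft.VisualStudio.Sdk`, so the pair is found and removed together.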

test/NuGet.Tests.Apex/NuGet.OptProf/NuGet.OptProf.csproj

Lines changed: 2 additions & 0 deletions
@@ -16,6 +16,8 @@
1616
<ItemGroup>
1717
<PackageReference Include="Microsoft.Test.Apex.VisualStudio" ExcludeAssets="Compile" GeneratePathProperty="true" />
1818
<PackageReference Include="Microsoft.VisualStudio.Sdk" />
19+
<!-- Microsoft.VisualStudio.Sdk has a dependency on a vulnerable version of MessagePack. Once it no longer has a transitive dependency on a vulnerable version, this can be removed -->
20+
<PackageReference Include="MessagePack" />
1921
<PackageReference Include="MSTest.TestAdapter" />
2022
<PackageReference Include="MSTest.TestFramework" />
2123
<PackageReference Include="Newtonsoft.Json" NoWarn="NU1605" />
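
Review bot: nothing at lines 19-20 signals when this workaround stops being needed; the condition in the comment ("Once it no longer has a transitive dependency on a vulnerable version") has to be re-checked by hand every time `Microsoft.VisualStudio.Sdk` is bumped. Reference a tracking issue in the comment so the check has an owner and the reference in this test project does not outlive the problem it works around.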
